Regarding confirmation for CVE-2025-57736 in krb5
Greg Hudson
ghudson at mit.edu
Mon Sep 1 14:32:14 EDT 2025
On 9/1/25 03:02, Ankit Srivastava via Kerberos wrote:
> Hi Team,
> While reviewing Kerberos 1.22.1 release note[...] I have found CVE claim [...]
> But the same has not been mentioned in 1.22 !
I'm not sure what this means. The release notes in the (withdrawn)
krb5-1.22 tarball can't be changed.
> So, does it impact on the user who is using krb5.1.21.3 or prior releases or only the impact on user who has krb5.1.22 ?
Only 1.22 is impacted. Prior releases never had this bug, and 1.22.1
fixes it.
More information about the Kerberos
mailing list